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The present 1!| venation relates to a -method for defeating 
denial-of -service attack on authentication protocols using 
public key " ^ncryp||Lon, for a servfcr-to-client authentication 
and a computer ijbadable medium for recording a program 
iiciplemeiiting the method. 



Prior Art of igjh,e Invention 

si — ; 



In a ooiraxiUTLicitiotL through a computer network, a client 



authenticates a se^er using an encryption of a random number 



with the server 
authentication of 

technique. The suck 

F 

the server with 
demonstration guark 
authentic server, 
authent i caticin ar & 



js j public encryption key while the 

i 

the, client by the server may adopt: any 
essjful decryption of tne random number by 
the corresponding private key and its 
nte-es the client that the server is the 

Among examples of such a server 

i 

tKe Internet security protocol SSL/TLS 



As internet s 



(Secure Socket Layer/ Transport Layer Security) and the 
-authentication and:jj key agreement protocol of the personal 
access communication system (PACS) , one of the six personal 
communication system ( pes ) standards in North America. 

I •! 

services have been used in more aspects of 
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human life, a denifel-o£- service attack is becoming a growing 

concern. The denBal-of-service attack. _J.s _ one of the most 

l 

abased attack. Many things in human life, 
their Counterpart in the Internet world. 



i 

malicious Internet 
turned out to have 



connection requests. 

syn flooding 
known example of t 
a weakness in a 
typical procedure 
follows* ; 

At first, the 
message. In respo;?! 
the client (system 

i 

allocating buffer , 



The denial-of-servibe attack would be one example of them. 

The denial-of^service attack is an attack in which an 

1 1 

attacker seeks to initiate and leave unresolved a large number 
of connection requests to a Web server, exhausting its 
resources and rendering it incapable of servicing legitimate 

from other clients . 

ttack in TCP/IP networks is the most well 
.is attack. The ^SYN flooding attack exploits 
; pP connection establishment protocol. The 
if the TCP connection establishment is as 



client (system) sends the server a SYN 
se, the server sends a SYN-ACK message to 
and prepares the corresponding session by 
Space. The client (system) then finishes 



establishing the connection by responding with an ACK message* 
After this sequent, the client* (system) can exchange the 
service-specific da'}: a, with the server. 

However, the 'attacker does not follow the above sequence 



of messages- That 
the thi r d me s s age , 1 
Accordingly, the s 



is# the attacker fails on purpose to send 
i.e., the SYN-ACK message,, to the server. 
4ssion is left half-open until time out. 



Furthermore, the aitacker may initiate large amounts of syn 
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message© simultaneously to the server/ causing the server to 
be unable to handle the legitimate connection requests from 
other clients (sys^biaO - 

Using authentication protocol in the Internet environment 
is rather orthogonal to denial-of-service attacks. In other 

words, the authentication protocols themselves do not help 

■ 

prevent denial-of-^.ervice attacks, instead may give rise to 

snial-of -service attacks due to computation 



.another room for de 



The cryptograp 1 
the examples are v 
protocol approach 
, against ztie* attach 



load required to execute the authentication protocol . 

Although the Notorious sw tloodinging 'attacks can be 
minimized through c&kreful design and operation of the internet 

IT ' 

communication syst^s, tn@ authentication protocols could be 
another door to similar denial-of-service attacks, 

On the other tiand/ there has recently been introduced a 
cryptographic countibrmeasure' against denial-of -service attack . 



hie count erme a sure is a new issue, of which 
brmal treatment of the attack", ^stateless 
to make security protocol more robust 
r , and M client puzzle" wnicn enforces a 



II 

predetermined amount of computations on attackers to mitigate 
the attack. 



However, the client puzzle method should be implemented 



J 



separately from thje 'authentication protocol and furtheicmore 

jf • computations* on both the client and the 



requires overhead © 
server ♦ 

To authentic 
challenge-response 



|te the server with any cryptographic 
mechanism, the client chooses a random 
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number and sends xtg to, the server* According to the way this 

! Lit 

random number is handled, the authentication methods may be 

I: 

categorized into twjp different methods - 

I* ; — - 

The first is that! the client (system) can send the random 



5 number in the cldazi and then the server signs over the random 



number with its j iown certified private key to generate 
electronic signatuik data to transfer to the client (system) • 



The corresponding 
publicly and then 



f 

i n g If publi 



c verification key is available 



fef ore the client can check whether the 
signature was generated by and came Trom the server. 

provides the authenticity of the server's 



.Successful checking- 
identity. 

The second a 
using the public e 



from the client (system) to the server. The authentic server 



is then the only 
number from the 



1 1 1 1 

ciphertext using ±tf private decryption key and then transfers 



the decrypted random 
client checks whet lie* 



.both nvunbers match, 



weaknes s . As far 
however, the lattei 



[feernative is to encrypt the random number 
jcryption key of the server before delivery 



fentity to be able to retrieve the random 
I ciphertext * The server decrypts the 



number to the client (system) w The 
the decrypted random number from the 



server match the random number delivered to the server. If 



the server's identity is authenticated. 



Each of the aboye two methods has its own strength and 

I 

ks, ;denial-of-service attack is concerned, 



j method, i.e-, random number encryption, is 

preferable. This ijs 'because in the latter method the random 

'Si- 
number rrom the cljLemt is not just a random number but an 
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encrypted message 



thereof, which may be exploited to 



accommodate a countlbrmeasure against denial-of-service attacks. 

Summary of thus?! Invention 

y 

Therefore, it |i$ an object of the present invention to 
provide a method d;pr defeating denial-of ^service, applicable 
to any authentication protocols which adopts public key based 



encryption to aut 
excluding overhead 



in accordance 
^ther© ±s provided 
attack, for use in 
authenticates the 



.ehticate the server to the client and 
of public key- related: confutation© and a 
computer readable ^pdium for recording a program implementing 
the method - 

l.li 

with an aspect of the present invention, 

a method for defeating a denial -of-service 
I 

|a communication system in which the client 
lerver by sending encryption of a random 
challenge number uij^der the p\3blic 'encryption key of the server, 
the method 'including the steps of: (a) generating a random 



number r B In response, to a request for a service from a client 

r ■ 'j 1 

and sending the rapndpm number to the client; (b) receiving, 
from the client, the ciphertext produced by using the random 
number r e sent to 4ie' client and a random, number r A chosen by 
the client; (c) Recovering a random number tb from the 



ciphertext receivifa from the client and coKiparing the 



er with the random number sent to the 



k recovered random 
client; and (d) if 
Providing the servi 




i-the random numbers match at the step (c) , 
,.e, and, otherwise, denying the service. 



5 
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P. 8 



invention, thfere ijs provided a method for protecting from a 



denial~of-service 
au then t i c a t i on s y s "4; 

to the server a 



with another aspect of the present 



attack, applicable to a server 
ikm. in which a client_uses_ as the challenge 
!g!is crete exponentiation g rA modulo a prime 

h number p, a privatl,! key and a corresponding public key or a 

II ' 

server are respectively b and g b , and the ciphertext of the 
client's challenge jizsixig the public key of the server is g" A , 
the method inciudife the steps or; (a) the server's sending a 
random number r s toiihe client; (b) the client's sending, back 

■J : 

to the server, x dnd y values computed by using the random 
number sent to thejj client and the client's own random number 
r A as; jc = to*) r -** r * w|ere b is ''the private key of the server and 
g is the public jj-jkey of the server, and y = h(g fA ) where h 
represents a hash .||CUEiction; ' (c) comparing x and y from the 
* client with y as Bellows; y=h(x b g~*) where h represents the 



hash function; (d) Lf y matches y r providing a service to the 

■It 

client, and, othertijjfLse, denying the service. 

In accordance' 1 with another aspect of the present 
invention, there isr provided, in a communication systexa having 
a large capability {processor in which a client sends a server 
a ciphertext of a random number encrypted under the public key 



of the server to a 
medium for recordiii 



of: (a) at the server, generating a random number r B in 



jthenticate the* server, a computer readable 
a program for implementing the runctions 



DEC. 27. 2000 4= 48PM 



SHIN SUNG PATENT LAW FIRM 



NO. 692 



P. 9 



10 



15 



20 



25 



number r B sent to 
client; (c) at rhi 



' i i 

response to a ser^fce request from a client and sending the 

li 

random number to tl^p client; (b) at the server, receiving the 

ciphertext which is | produced by the client based on the random 

it 1 

fthe. client and a random number r A of the 
server, recovering the random number xe 
from the ciphertext*:! received from the client and comparing the 
recovered random iJl&mber with the random number sent to the 
client; and (d) if llfthe random numbers match at the step (c) , 

providing the serv^be, 'and, otherwise, denying the service* 

it 

Iti accordance 



invention , there 



with another aapect of the present 
ffi.5 provided, in a ssrver authentication 

system having a la:|ge capability processor, in which a client 

:! . 

uses a disrecte exponentiation g r * as a. random challenge to a 

{key and a public 3cey of the server are 
'! g , and a ciphertext of the client's 



server, a private 
respectively b and 



computer readable 



random number to a 
y values which the 

from the server as: 



challenge using tJe public key of the 



server is g 



J medium for recording a program for 



implementing th£ f junctions of: (a) at the server, sending a 



'ijplient; Cb) at the server, receiving x and 
client computed by using the random number 

x a lg*) r « +r ° where * is the private key of 
the server -and ^||| I 5 the public key of the server, and 
y-K& r *) where h represents a hash function; (c) at the server, 
comparing y from tjjjae client with y' as follows: y=/i(x 6-> g~ ,a ) ; 
and (d) if.y- and ^',1 match, providing a service to the client, 
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i 

Brief Description -of the Drawings 

f 
i 

5 The above and [other objects and features of the instant 

J 

invention will became apparent from the"" following description 
of preferred embodiments taken in con j miction with the 
accompanying drawirj&s, 'in which t 

Fig. 1 is a diiagfam of an eaibo diluent of a procedure for 

i ji 

10 protecting from A'Jnial-of-s£rvice attack in authentication 
protocols using public key encryption in accordance with the 
prcsBiit invention; 

Pig. 2 : shows diagram of an embodiment of a procedure 
for generating random numbers in accordance with the present 

'■!' 

• i 

15 invention; . ! 

Fig- 3 offer^ a, diagram of another embodiment of a 

! > 1 

procedure for prelecting from denial-of-service attack in 
authentication protocols using publi-s — key encryption in 
accordance with theit present invention; and 

Fig. 4 present^ a » diagram of an embodiment of a procedure 

for protecting froisiJ denial-of-service attack in authentication 

, i 

'is 1 1 

protocols using- pa^icular public key encryption in accordance 
with the present i^Ventlon- 

! * 
\i\ 

25 Preferred Embd&iment of the Invention 

1 ii 

! i 

:> 

Hereinafter, ' frpreiferred embodiments of the present 



20 



8 
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invention will be 



described in detail with, reference to the 



is 



accompanying drawiiigs , 



Fig. 1 is a djiagram of an embodiment of a procedure for 
protecting from djj^nial-of-service attack in authentication 

5 protocols uding public key encryption in accordance with, the 

i;" 

present invention, j' 

The basic concept of the pr-esent invention is that the 
client is required^, to encrypt a random number received from 
the server as well \hs its own random number. This is quite an 
10 extraordinary usage! of random number encryption in public key 
based authentication protocols. Thar is, in the present 

invention, an additional random number is used to ch^ck 

1 1 

whether the client; (system) generated a ciphertesst under a 

1 1 >' 



protocol- When thje client (system) encrypts and sends only 
Its own random njijjLcnber to 'the server, the random number 
decrypted at the server can provide no information about the 
procedure of the ci£>hertext of the client (system) because the 
random number has np meaning, on the contrary, if the random 

number or the server is included the cxphertext from the 

ft 

20 client (system) , tfcib random number of the server is included 

I- 

in the decrypted result so that the server can conclude that 
the ciphertext is ^Lnerated according to the correct procedure. 

As shown in ^iLg. 1, the server 100 generates a random 
number 101 and sefnds it to the client (system) 110. 

25 The client (sjfitem) 110, upon receiving 'the random number 

i ' 
i 

<r s 101 from the server 100, generates a random number r A 111 
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and encrypts the two random numbers r B 101 and r A 111 using the 
server's public ke^ji j§T 5 , and then the resulting ciphertext 112 
is sent to the server 100. 

The server 10'lDji decrypts the ciphertext 112 received from 

5 the client (systemj| 110 and retrieves the random numbers r s 

,m 

101 and r A 111 frorrijfthe ciphertext 112. 

The server 100| compares the retrieved value of the random 
number r B 101 with ' the ; value of the random number r B 101 which 

hi 

the server 100 serit to the client 110. The value of the 

'IS 

10 retrieved r $ and thj^f value of r s 101 which has been sent to the 

:!a 

client is to be luaijtched. Otherwise, the received ciphertext 
112 is not product by the proper protocol but is simply a 
garbage value sent '[by a malicious attacker. 

If the value pf the retrieved r s and the value of r 9 101 

\\ 

15 which has been serit to the client match, a next procedure 

i i s 

specified in the ajlthentication protocol to which the present 
invention is appli<J<k is executed. 

On the o their hand, without using_ this kind of 
countermeasure, th'ejre is no way for the server 100 to check 



whether the received ciphertext 112 is really the result of 



proper cryptographic computation, and hence even for a garbage 
value attack, thejjj sdrver 100 will execute a public key 
computation for decjjrypt-ion, send the subsequent message to the 
attacker, and finally will result in a state of the session 
25 left open waitingjfthe. next message rrom the attacker , Of 
course, the attacked will not send the response message, and 
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this session spends \\ resources of the server until time out* 

By using the jiethod as described above ] such a waste of 

session resources ©an. be saved. 

Fig, 2 shows \k 'diagram of an embodiment of a procedure 
for generating random numbers in accordance with the present 
invention. 

The random nuij&er> r s can even be generated in a way that 



enables the server 
of-service attacks; 

Usually, arte 
110, the server 100 



td achieve more robustness against denial- 



Si 

i 



101 is stored in 
with the received 
(system) 110. 

The problem eft 
TCP/IP environment 



che delivery or r B to the client (system) 

is expected to assign a unique session to 
the service requestjtn»g client (system) 110- In this situation, 

the value of the random number r g 101 is uniquely related to 

the corresponding Session. The value of the random number r s 

memory within the server to be compared 

value of random number r s from the client 



attacks. This problfem can be avoided as follows* 



That is, the 
resources to the c 
correctly produced 
particular value qi 
client sends the cc 

The particular 



the method is very similar to that of 
that leads to the notorious SYN flooding 



beaver delays the assignment of the system 

lient until the ciphertext is proven to be 

i 

;i*e», the server should not assign a 
|| ^ with a particular client before the 
'irrect ciphertext* 
value of r B is generated as follows. 
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As shown in Fplg. 2, the random number r is produced by 



201 and 



running a hash function H 200 with a master key K n 



an index index _t b 202! of the random number r B as the inputs. 

!' 

Here, the indtix index _r% 2 02 of the random number r B runs 

li 

from 0 to M-l where M is a preset parameter whose value is a 

I f 

sufficiently large jj number and can be freely chosen by the 

f ^ 

server system. 



25 



That is, when 1 , a new value of the random number r s is 

\' 

generated, the server runs the hash function with the master 

k®y Kmemr 2 0 1 and tjhe index index r s 202, of the random number 

\ 

r n , as the inputs^ And the hash result will be used as the 

if 

'value of the random-: number r R . 

Pig, 3 offers ilk diagram of an embodiment of a procedure, 
using the methods fcjhown in Fig, 1 and Fig. 2, for protecting 
from denial-of-serjfrice attack on authentication protocols 
using public key Encryption in accordance with the present 
invention* 

At first, in response to a service request 321 front the 
client (system) 32 Of, ths server 310 generates a new value of 
the random number j%\ 330 by an operation as follows: 

And then, the 'Server 310 sends 331 the generated value of 

the random number Jij* 330 and the 4 index index jr B of the random 

1 1, 

number r B to the Blient (system) 331 and increments 350 the 

jr 

index index _r B of tft'js random number r B . 



li 
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On receipt of '[jthe random number r B and the index index _r B 

\\\ 

of the random numkdsjb r B , the client (system) 320 generates its 

?; 

own random number , and encrypts r A and r B under the public 

1 ' i 
f ; 

encryption key K B . !; Here, the ciphertext in which r A and r B are 

pi 

encrypted under thei! public encryption key K B is represented as 



I i 



The client (sjjjstem) 320 sends 341 the ciphertext {r^r*}^ 

| -J 

with the random nuttaer r B and the index index ^r B or the random 
number r B to the se:bjver 310, 

When the server 320 receives the ciphertext 0^,^}^ from 
the client (system^! 320, using the received value of the index 
index _r B of the random number r B , i.t retrieves 360 from a look- 



up 



table 



or, 



alternatively, 



using 



the 



equation 



r# ^HiK meatffr Jndex_r B ) A f re-computes the corresponding value of r B . 

The server 3fJo decrypts 370 the received ciphertext 
^a^b}k £ arid "retrieve the value q£ r B which is compared with 
the value of r fl that! was retrieved or recomputed. 



} ! 



If both valued 



match , the server 310 is assured 380 that 



the client (system) 320 has formed honestly &nd sent the 
ciphertext \r A9 r M } KM which leads the server to the next step 

specified in the aJiheritication protocol. 

on the other ijjLna, if the match fails, the server 310 may 

' i \ 

conclude that the [jplient (system) 320 sent a fcogus message 



"which has nothin 



to do with the correct cryptographic 



13 



DEC . 27 . 2000 4= 51PM 



NO. 692 P. 16 



operation to computes the ciphertext fc,^}^ * i-@-, the client: 



10 



20 



25 



(system) 320 is trying denial-of-service attack. Therefore/ 
the server stops 3Sf$> this session. 

1 

Fig, 4 presents a diagram of an embodiment of & procedure 
for defeating deniial w of-service attack on authentication 

protocols using ©p^ci^l public key encryption in accordance 

'!} . 

♦ with the present indention . 

In a particular, encryption based on discrete log 



cryptographly, zh& 
(here/ g r * instead ' 



encryption of the client's random number 
of r A ) can be computed" as" g* A where g is a 
generator element ;©'p a finite cyclic group agreed between the 
client (system) an<i the server r and b and g b are the private 
key and the publijc key of the server, respectively. This 



particular form oijj 



is method as describe 



i 



encryption cannot easily accommodate the 
with reference to Fig, 1* This difficulty 



can be solved as fcjjjLlows. 



The server 400.! sends a random number r s 401 to the client: 



(system) 410 requeuing a service. 



The' client (system) 410 receiving the random number r s 
401 computes 411 x^(g b ) r * +r » and y^ h(g T *) , and sends both values 
to the server 400, [[where h is a hash function agreed between 
the server 400 and '(the client (system) 410. 

Ill 

The server 40qf receiving x and y computes 420 y=/»(* 6 " 1 ^"'* ) 

and compares 430 t^je result v^ith the received value of ^. 

If both valufejs are the same then the server 400 may 
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conclude that the | Client 410 lias sent honestly computed the 
required public kejir encryption. Therefore, the server 400 can 
go to 440 the next if Step specified in authentication protocol* 



Otherwise, thpi mismatch indicates that the client 410 is 



5 trying the denial~djE^service attack by sending a bogus message, 

; ! : ; 

and therefore the ^rver stops 450 the session. 

1 « r 

In this metjitod, there is no additional public key 
computation required in the client (system) side while the 
computation of g~ftj is to be computed by the server 300 ► 

' i 1 

10 'However, this commutation can always be handled offline not 
online- Accordingly, in practical operations, the generation 
of r B and the computation of g~ r * can be processed with batch 
computation* one exponentiation needed to compute the discrete 



exponentiation x*1l! in the computation of y*=k(x h ~ x g~ r *) is 

, i ; 

unavoidable becaus^; thp server requires the power computation 

! \ 

<£**)* J =g r * to retrieve g r * even when the- method of the present 

I : 

invention is not j! Employed * Accordingly, the intermediate 

value x g *==g r * dpes ' not require any additional discrete 

1 El 

exponent! at ion - \\ l 

The method a|s described above is applicable to any 
protocol in- which the client authenticates the server by using 

the public key enaction. 

iff 

As described jajbove, the method of the present invention 
can be implement edt/ as a program which can be recorded at a 

'.if 

25 computer readable medium* 

As described^ above, the present invention gives 
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robustness against: 



protocol itself, L&a&s no additional public key computation, 



and is applicable 
c 1 i ent au t hen t i cat 
random number with' 

Although the fsj 
been disclosed for 
art will be appre 
and substitutions 
scope and spirit 
accompanying claim^i 
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) , 

thle deniai-of-service to the authentication 



5o any authentication protocol in which the 

i 

as 1 the server by encrypting the client's 

1 1 

jbhie public key of the server* 

i 

referred embodiments of the invention have 
illustrative purpose, those skilled in the 
Jiate that various modifications, additions 
are possible, 'without departing from Zh& 
df the invention as disclosed in the 
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